

Information Commissioner's Office 


Audit Committee minutes 


Friday 15 June 2018


Members:


Ailsa Beaton (chair), Non-Executive Director


Roger Barlow, Independent Audit Committee member


Jane McCall, Non-Executive Director


Attendees:


ICO

Louise Byers, Head of Risk and Governance
Elizabeth Denham, Information Commissioner
Heather Dove, Head of Finance


Internal Auditors
Michaela Spiller, Mazars
Peter Cudlip, Mazars


External Auditors
Paul Keane, National Audit Office
David Eagles, BDO (joined by phone for item 5)
Mark Colman, BDO


Secretariat
Peter Bloomfield, Senior Corporate Governance Manager
Caroline Robinson, Corporate Governance Officer


1. Introductions and apologies 
1.1. Apologies were received from Paul Arnold.


2. Declaration of interests 
2.1. No declarations were made. 


3. Matters arising from the previous meeting 
3.1. The minutes of the previous meeting were agreed. 


3.2. Louise Byers updated the Committee on the outstanding
action regarding the timing of a decision as to whether or not 
the ICO should set up a remuneration committee. A proposal 
relating to this matter would be put to the August 
Management Board. However, it was emphasised that the 
matter would also be discussed with ICO trade unions as it 
was linked to current negotiations on pay. 


3.3. Management confirmed that a final decision on the
setting up of a remuneration committee rested with the 
Commissioner who would receive advice from the Board. 


3.4. Ailsa Beaton suggested that if a remuneration 
committee was proposed to the Board, it ought to operate 
proactively; identifying issues in advance and acting on them. 


4. Commissioner’s update 


4.1. Elizabeth Denham updated the Committee on major 
issues affecting the ICO, in particular the commencement of 
the Data Protection Act 2018 and implementation of the 
GDPR in late May. The ICO had faced unprecedented 
numbers of enquiries about the changed legislation and had 
seen a surge in new registrations. 


4.2. She also advised the Committee of progress in 
recruiting to the new Director level of management at the 
ICO, with ten new Director posts currently being interviewed 
for. A new temporary position of Executive Director
Technology Policy and Innovation had also been advertised. 


4.3. It was confirmed that a new probation policy would be
in place in the near future.


4.4. It was observed that the high media and political profile
of the ICO at the moment and its pay flexibility had helped
improve the retention of existing staff and the recruitment of
new staff.


4.5. Finally the Commissioner explained that for the first 
time an Information Commissioner had been asked to appear 
before the European Parliament to discuss the handling of 
high profile investigations. 


5. External Audit - Audit completion report


5.1. Mark Coleman, representing the external auditors,
confirmed that they were anticipating recommending to the
Comptroller and Auditor General that he should certify the
2017-18 financial statements with an unqualified audit 
opinion. 


5.2. The unadjusted misstatement of £118,000 was 
highlighted. The Committee agreed that the unadjusted 
misstatement was below the materiality threshold and 
confirmed that they were comfortable with the 
recommendation not to adjust the accounts. 


5.3. The Committee confirmed that they were not aware of
any fraud.


5.4. The Committee noted the draft audit certificate and
recommended that the Information Commissioner, Elizabeth
Denham, sign the letter of representation.


5.5. In respect of progress in finalising the management
agreement with DCMS, this still remained in draft but it was 
expected to be finalised shortly. The intention was to reflect 
the Commissioner’s independence, and the newly agreed pay 
flexibility in the document. There was also discussion as to 
the recommendation around payment control weaknesses. 
The Committee questioned why it had been included as 
management had confirmed that the current control was 
permanent. BDO explained that the recommendation would 
be removed from the audit completion report for 2018-19. 


5.6. The Committee noted that MyCSP had not as yet 
provided pensions information to inform the Remuneration 
Report. NAO reported that it had seen improvements in the 
MyCSP service to other organisations. However, in the case of
the ICO the pensions information remained outstanding with
no indication as to when it would become available. 


Action Point 1: Peter Bloomfield to investigate the 
reasons for the delay in receiving the needed pensions 
information and to initiate steps to ensure a timely 
process next year. 


5.7. The Chair thanked BDO and the Finance Department for
the hard work and cooperation involved in preparing the
accounts and in preparing the audit report. The early flagging
up and addressing of issues had helped smooth the process
and was appreciated by the Committee.


6. Audit Committee Annual Report 2017-18 


6.1. The report is the Committee’s formal assurance to the
Commissioner.


6.2. This draft reflected the internal audit opinion that had
come to the previous committee meeting in draft format and
which had been circulated to Committee members prior to
this meeting as a finalised document. The document also
anticipated the clean external audit opinion given earlier in
the meeting but wording needed to be agreed.


6.3. The Committee agreed the draft subject to minor 
amendments relating to clarifying that Committee members 
had had sight of the finalised internal audit opinion, the 
appointment of the new internal auditors, and consideration 
of the timing of the report’s publication. The final version was
then to be cleared by the Committee chair.


Action Point 2: Peter Bloomfield to amend the 
document as discussed and clear it for publication with 
the chair of the Audit Committee. 


7. ICO Annual Report and Accounts 2017-18 


7.1. The most recent version of the ICO Annual Report and
Accounts 2017-18 was presented for discussion and
clearance in so far as possible. As already noted, the pensions
information was still to be received and the Commissioner’s
foreword was still in draft. However, the rest of the document
was near final. 


7.2. In respect of the Remuneration Report there were 
concerns about the accuracy of some of the figures and about 
the use of £5k bands. The report would be checked for 
accuracy by HR, Finance and the external auditors before it 
was signed and presented for certification. In addition 
footnotes would be added to highlight where senior managers 
had only been in post for part of the financial year. 


7.3. The Committee asked that figures for ICO income in the
section detailing the long term expenditure trends should be 
rounded. It was also highlighted that current estimates on fee 
income had changed and that figures in the report needed to 
be updated accordingly. 


7.4. The Committee also expressed the view that more detail 
should be included in the operational performance analysis. 


Action Point 3: Peter Bloomfield to make the 
necessary amendments to the draft Annual Report and 
Accounts 2017-18. 


8. Risk and opportunity management 


8.1. Louise Byers introduced the risk and opportunity 
register, highlighting recent changes. There would be a more 
in-depth review of the register at the October meeting. 


8.2. The Committee asked about the impact on both the 
risks and opportunities, and on their management, from the 
introduction of the new Director level of managers. Louise 
Byers explained that there had been some initial discussion 
on this and that the ownership and actions of the risks in 
particular should be reviewed in light of the appointment of 
the new Directors. Further work would be done on this. 


9. Finance 


9.1. Heather Dove introduced the May finance report, 
highlighting issues of interest. 


9.2. Data Protection fee income is up, showing a 9% 
increase in the second month of the financial year. The 
income forecast will be revised in August once several more 
monthly figures are available. 


10. Outstanding audit actions 


10.1. Peter Bloomfield confirmed that there are no late 
recommendations and that one recommendation, relating to 
ownership of printer disks, had been cleared. 


Action Point 4: Peter Bloomfield to change the 
completion date for the Remuneration Committee. 


11. Internal audit update 


11.1. Peter Cudlip confirmed that Mazars had recently finished 
the fieldwork on the assurance mapping review and were in 
the process of planning further reviews. They had also 
established good relationships with key management. 


11.2. The Committee agreed to bring the date for the October 
meeting forward to 15 October. This could have an impact on 
delivery of the Cyber Security review. 


Action Point 5: Mazars and Corporate Governance to 
review the dates for the Cyber Security review in light 
of the change to the Audit Committee date with the 
aim, if possible, of bringing the report to the 
Committee on the new date. 


12. Lessons learnt - website incident 


12.1. Louise Byers presented a report on lessons learnt from 
a recent issue involving the ICO’s accessibility software on its
website. 


13. Any other urgent business 


13.1. Elizabeth Denham thanked the committee for their 
advice. 


